Patchwork [v2] hostapd: add GTK MIC corruption test option

Submitter Johannes Berg
Date May 2, 2013, 2:10 p.m.
Message ID <1367503825-11499-1-git-send-email-johannes@sipsolutions.net>
Permalink /patch/241008/
State Accepted
Commit 7af092a015f64a47caa298a7938f6337a05d39c2

Comments

Johannes Berg - May 2, 2013, 2:10 p.m.
From: Johannes Berg <johannes.berg@intel.com>

For some testing it can be useful to force the GTK MIC to be
corrupt. Add an option to allow setting a probability for
corrupting the key MIC and use it in the WPA code, increasing
the first byte of the MIC by one to corrupt it if desired.

Change-Id: Ibb729cda701ea2445d2702629f38472eaf210499
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
---
 hostapd/config_file.c  | 1 +
 hostapd/hostapd.conf   | 3 +++
 src/ap/ap_config.c     | 1 +
 src/ap/ap_config.h     | 1 +
 src/ap/wpa_auth.c      | 9 +++++++++
 src/ap/wpa_auth.h      | 3 +++
 src/ap/wpa_auth_glue.c | 9 +++++++--
 7 files changed, 25 insertions(+), 2 deletions(-)
Jouni Malinen - May 4, 2013, 8:47 a.m.
On Thu, May 02, 2013 at 04:10:25PM +0200, Johannes Berg wrote:
> For some testing it can be useful to force the GTK MIC to be
> corrupt. Add an option to allow setting a probability for
> corrupting the key MIC and use it in the WPA code, increasing
> the first byte of the MIC by one to corrupt it if desired.

Thanks, updated with some changes in the comments to make it clear that
this is referring to the Key MIC field in group EAPOL-Key frames and not
the MIC field in the Data frames protected with GTK.
Johannes Berg - May 4, 2013, 12:25 p.m.
On Sat, 2013-05-04 at 11:47 +0300, Jouni Malinen wrote:
> On Thu, May 02, 2013 at 04:10:25PM +0200, Johannes Berg wrote:
> > For some testing it can be useful to force the GTK MIC to be
> > corrupt. Add an option to allow setting a probability for
> > corrupting the key MIC and use it in the WPA code, increasing
> > the first byte of the MIC by one to corrupt it if desired.
> 
> Thanks, updated with some changes in the comments to make it clear that
> this is referring to the Key MIC field in group EAPOL-Key frames and not
> the MIC field in the Data frames protected with GTK.

Good point, thanks.

johannes

Patch

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 21104d3..62136ca 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2893,6 +2893,7 @@  static int hostapd_config_fill(struct hostapd_config *conf,
 		PARSE_TEST_PROBABILITY(ignore_auth_probability)
 		PARSE_TEST_PROBABILITY(ignore_assoc_probability)
 		PARSE_TEST_PROBABILITY(ignore_reassoc_probability)
+		PARSE_TEST_PROBABILITY(corrupt_gtk_rekey_mic_probability)
 #endif /* CONFIG_TESTING_OPTIONS */
 		} else if (os_strcmp(buf, "vendor_elements") == 0) {
 			struct wpabuf *elems;
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 6a1c500..f98ec20 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1540,6 +1540,9 @@  own_ip_addr=127.0.0.1
 #
 # Ignore reassociation requests with the given probability
 #ignore_reassoc_probability=0.0
+#
+# Corrupt GTK rekey packet MIC with the given probability
+#corrupt_gtk_rekey_mic_probability=0.0
 
 ##### Multiple BSSID support ##################################################
 #
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 70b26a6..7ab86fc 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -168,6 +168,7 @@  struct hostapd_config * hostapd_config_defaults(void)
 	conf->ignore_auth_probability = 0.0d;
 	conf->ignore_assoc_probability = 0.0d;
 	conf->ignore_reassoc_probability = 0.0d;
+	conf->corrupt_gtk_rekey_mic_probability = 0.0d;
 #endif /* CONFIG_TESTING_OPTIONS */
 
 	return conf;
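Review bot: The `d` suffix in the added default `0.0d` is not an ISO C floating-constant suffix; GCC accepts it as an extension, but other compilers may reject it. The same literal appears in the added condition in the src/ap/wpa_auth.c hunk of this patch. An unsuffixed constant is already a double, so `conf->corrupt_gtk_rekey_mic_probability = 0.0;` is equivalent and portable. The neighbouring defaults use the same suffix, so the new line follows an existing pattern rather than introducing it. hostapd_config_defaults starts outside the hunk.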
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index f9629a2..16134da 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -526,6 +526,7 @@  struct hostapd_config {
 	double ignore_auth_probability;
 	double ignore_assoc_probability;
 	double ignore_reassoc_probability;
+	double corrupt_gtk_rekey_mic_probability;
 #endif /* CONFIG_TESTING_OPTIONS */
 };
 
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 4ecae2d..dfe0354 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -1347,6 +1347,15 @@  void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
 		}
 		wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len,
 				  key->key_mic);
+#ifdef CONFIG_TESTING_OPTIONS
+		if (!pairwise &&
+		    wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0d &&
+		    drand48() < wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
+			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
+					"Corrupting GTK MIC");
+			key->key_mic[0]++;
+		}
+#endif
 	}
 
 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
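Review bot: The closing `#endif` of the added block carries no marker, unlike the `#endif /* CONFIG_TESTING_OPTIONS */` lines visible in the config_file.c and ap_config.c hunks. I would write `#endif /* CONFIG_TESTING_OPTIONS */` here and on the two `#endif` lines added in wpa_auth.h and wpa_auth_glue.c, so the end of the test-only code is unmistakable. Separately, drand48() is called with no seeding visible in the hunk, so whether the same frames are corrupted on every run depends on code outside it. A one-line comment stating which behaviour is intended would help whoever later matches Key MIC failures against the `Corrupting GTK MIC` log line. __wpa_send_eapol starts and ends outside the hunk.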
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index 465eec6..8dc6a6f 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -160,6 +160,9 @@  struct wpa_auth_config {
 #endif /* CONFIG_IEEE80211R */
 	int disable_gtk;
 	int ap_mlme;
+#ifdef CONFIG_TESTING_OPTIONS
+	double corrupt_gtk_rekey_mic_probability;
+#endif
 };
 
 typedef enum {
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index fdaaaff..fc2c1d0 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -28,6 +28,7 @@ 
 
 
 static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
+				  struct hostapd_config *iconf,
 				  struct wpa_auth_config *wconf)
 {
 	os_memset(wconf, 0, sizeof(*wconf));
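Review bot: The new `iconf` parameter is read only inside the `#ifdef CONFIG_TESTING_OPTIONS` block added in the next hunk, so a build without that option compiles hostapd_wpa_auth_conf with an unused parameter and will warn under -Wunused-parameter. The function only reads through the pointer in the visible code, so `const struct hostapd_config *iconf` would document that it is input only. The value also appears to come from the interface-wide config rather than the per-BSS one, so every BSS on the interface would get the same corruption probability; if that is intended, a short comment at the assignment would say so. The body of hostapd_wpa_auth_conf continues beyond this hunk.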
@@ -74,6 +75,10 @@  static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
 #ifdef CONFIG_HS20
 	wconf->disable_gtk = conf->disable_dgaf;
 #endif /* CONFIG_HS20 */
+#ifdef CONFIG_TESTING_OPTIONS
+	wconf->corrupt_gtk_rekey_mic_probability =
+		iconf->corrupt_gtk_rekey_mic_probability;
+#endif
 }
 
 
@@ -509,7 +514,7 @@  int hostapd_setup_wpa(struct hostapd_data *hapd)
 	const u8 *wpa_ie;
 	size_t wpa_ie_len;
 
-	hostapd_wpa_auth_conf(hapd->conf, &_conf);
+	hostapd_wpa_auth_conf(hapd->conf, hapd->iconf, &_conf);
 	if (hapd->iface->drv_flags & WPA_DRIVER_FLAGS_EAPOL_TX_STATUS)
 		_conf.tx_status = 1;
 	if (hapd->iface->drv_flags & WPA_DRIVER_FLAGS_AP_MLME)
@@ -583,7 +588,7 @@  int hostapd_setup_wpa(struct hostapd_data *hapd)
 void hostapd_reconfig_wpa(struct hostapd_data *hapd)
 {
 	struct wpa_auth_config wpa_auth_conf;
-	hostapd_wpa_auth_conf(hapd->conf, &wpa_auth_conf);
+	hostapd_wpa_auth_conf(hapd->conf, hapd->iconf, &wpa_auth_conf);
 	wpa_reconfig(hapd->wpa_auth, &wpa_auth_conf);
 }